1 | 5 COIT20263 Information Security Management (HT2, 2019) Assessment Item 3 - Written Assessment Due date: 8:00 AM AEST, Monday, Week 12 ASSESSMENT Weighting: 40% 3 Length: 3000 words (±500 words)...

1 answer below »
this is the file



1 | 5 COIT20263 Information Security Management (HT2, 2019) Assessment Item 3 - Written Assessment Due date: 8:00 AM AEST, Monday, Week 12 ASSESSMENT Weighting: 40% 3 Length: 3000 words (±500 words) Objectives This assessment task relates to the Unit Learning Outcomes 3 and 4 and can be undertaken in a group of up to 4 members or individually. Distance students can form groups with on-campus students as well. In this assessment task, you will analyse the scenario given on page 3 and discuss in a report as to how you apply the principles of information security risk management as well as information security certification and accreditation to the organisation in the given scenario. Assessment Task You are required to analyse and write a report on a) guidelines for information security risk management b) guidelines for information security certification and accreditation for the organisation described in the scenario on page 3. You should ensure that you support your discussion with references and justify the content of your discussion. Your report should include: 1. Executive Summary 2. Table of Contents 3. Introduction 4. Discussion 5. Conclusion 6. References Note: You must follow the Harvard citation and referencing guidelines. Check the unit website at least once a week for further information relating to this assessment task. Please ensure that you write your report in your own words to avoid possible plagiarism and copyright violation. You can understand the Plagiarism Procedures by following the corresponding link in the CQUniversity Policies section of the Unit Profile. http://www.cqu.edu.au/?a=14032 2 | 5 Assessment Criteria You are assessed on your ability to apply the principles of information security risk management as well as information security certification and accreditation to the organisation in the given scenario. The marking criteria for Assessment Item 3 are provided on page 4. You need to familiarise yourself with the marking criteria to ensure that you have addressed them when preparing your report. Submission Each of you in the group must upload the same written report as a Microsoft Office Word file through the COIT20263 Moodle unit website assessment block on or before the due date. A group member who fails to submit the assessment item will not be awarded any marks for the assessment. Late submissions will incur the penalty as per university’s ASSESSMENT POLICY AND PROCEDURE. 3 | 5 The Scenario for Information Security Management Assessment Tasks FuturePlus is a newly established, independent charity organisation helping disadvantaged Australian students to continue their education, giving them a chance to a future full of possibilities. To start with, the support includes payments for tuition fees and educational supplies, as well as for student accommodations. However, the organisation plans to develop and offer more programs to help the disadvantaged students, for example, early intervention and tutoring programs. The costs are covered through public donations. FuturePlus collects one-off as well as monthly donations through their website equipped with a secure payment system. They also run special fund-raising drives twice a year by advertising about the event on national television, on their website, and via SMS and e-mails sent to donor list extracted from their donor database. To manage the operations of the organisation, they have recruited both full-time as well as casual staff. The full-time staff consist of an Operating Manager, an Accountant, a Planning Officer, two Case Officers, and three support staff. There are three casual staff providing extra support to the Case Officers with eligibility checks and visits to the candidate students, also providing updates on students who receive help from FuturePlus. However, the organisation is planned to grow in the number of staff members, and students they support in the next few years. FuturePlus operates from Sydney CBD, occupying one floor of a high-rise building. They have got their network designed and rolled out by your company, with all the servers located in their premise, and have employed your company to provide them ongoing network support. Their office network site is connected to the Internet via 5G cellular wireless technology. They require their database servers and the website to be up and running 24/7. FuturePlus provides their casual staff with portable devices to take on-site case notes during their site visits and send these to the office via secure communications. Since they store sensitive information about their donors, students receiving donations, as well as payment details such as bank account and credit card information, it is of utmost importance that their servers and communications over the Internet are completely secure. FuturePlus has requested your company’s service of designing a suitable information security program for their organisation. Note: This scenario was created by Dr Jahan Hassan on the 11th of June 2019 and no part of this scenario should be reproduced by any individual or an organisation without written permission from CQUniversity, Australia. . 4 | 5 Marking Criteria Section HD D C P F Max Mark Mark Obtained 5 4.5 4.25 4 3.75 3.5 3.25 3 2.5 2 0 Executive summary Summarised all key information of the report. One or two key information missing. Three key information missing. One or two key information missing. Three key information missing. Most key information missing. No Executive Summary. 5 Very clear writing with no mistakes. A few spelling or grammar mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. Not clear. Not clear. HD D C P F 5 4 3.5 3 2 0 Table of contents (ToC) Used decimal notation. Included all headings and page numbers. Used ToC auto-generation. Used Roman i for the Executive Summary page. Executive Summary was before the Introduction. Used a new page. One feature missing. Two features missing. Three features missing. Four or more features missing. ToC missing. 5 HD D C P F 5 4.5 4.25 4 3.75 3.5 3.25 3 2.5 2 0 Set the scene for the report and described the purpose clearly. Explained the research method used. Outlined the sections of the report. Started from a new page. Contained all information but not enough detail. Some information missing but enough detail given. Some information missing and not enough detail. Most information missing. No Introduction. 5 Introduction Very clear writing with no mistakes. A few spelling or grammar mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. HD D C P F 20 18.5 17 16 15 14 13 12 10 8 0 Discussion Thorough and detailed discussion supported by in-text references and justifications. Contained all information but not enough detail. Some information missing but enough detail given. Some information missing and not enough detail. Most information missing. Irrelevant information. 20 Very clear writing with no mistakes. A few spelling or grammar mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. Very clear writing with no mistakes. Several spelling or grammar mistakes. HD D C P F 5 | 5 5 4 3.5 3 2 0 References All references are listed according to Harvard reference style. All references are listed but a few referencing errors. Not all references are listed but correctly referenced. Many references missing. Incorrect reference list. No reference list. 5 Plagiarism penalty Late submission penalty Total 40
Answered Same DaySep 22, 2021COIT20263Central Queensland University

Answer To: 1 | 5 COIT20263 Information Security Management (HT2, 2019) Assessment Item 3 - Written Assessment...

Kuldeep answered on Oct 04 2021
133 Votes
Information Security
IS
Information System
Student Name:
University Name:
Unit Name:
Date:

Executive Summary
Information Security means protecting data and information system from unofficial access, utilize, disclosure, destruction, destruction or modification. IS management is the process of defining safety controls to protecting a data assets. The implementation of IS in the organization includes six main activities: policy growth, understanding responsibilities and roles, appropriate IS design, usual monitoring, safety awareness, education and training. Now, in the order to attain reliable data security, basic control factors within the associations are needed. Security controls also include non-technic
al and technical controls. This report covers IS risk management standards or guidelines moreover information safety certification and accreditation guidelines.
Contents
Introduction    4
Discussion    5
Guidelines for information security risk management    5
Guidelines for information security certification and accreditation    8
Information Security Procedures, Policies and Strategies    12
Conclusion    13
References `    14
Introduction
FuturePlus is a newly formed independent charity designed to help disadvantaged Australian students continue their education and give them the opportunity to move towards an opportunity-rich future. First, support includes paying tuition and educational supplies moreover student accommodation. However, the organization plans to expand and provide more programs to help disadvantaged students, such as early intervention as well as mentoring programs. Fees are paid throughout the public donations. FuturePlus collect one-time and monthly donations through a website with a safe payment system. They also advertised the event twice a year through national television, advertising on their website, and sent it to the list of donors from the donor database via SMS and email to manage the organization’s operations, twice a year. The full-time staff includes operations executives, an accountant, a plan officer, and two case managers and three support staff. A total of three temporary staff members provide additional support to the case officer, including qualification checks furthermore visits to candidate students, as well as up-to-date information on students who receive assistance from FuturePlus. However, the organization plans to increase the number of employees and the number of students they support in the next few years. Future Plus operates in the Sydney CBD and occupies a high-rise building. They have designed and deployed the network by FuturePlus Company; all servers are located inside and hired FuturePlus to provide them with ongoing network support. Their office network sites connect to the Internet via 5G wireless technology. They require their database servers as well as websites to run 24/7. FuturePlus provides temporary equipment for temporary employees to record on-site case records when they conduct on-site visits and send them to the office via secure communications. Because they store delicate data about employees and their salary details for example bank accounts and credit card information, it's critical that their communications and servers over Internet are safe. FuturePlus has asked companies to provide services to design appropriate information security procedures for their organizations.
Discussion
Guidelines for information security risk management
FuturePlus ISRM Guide
ISRM is a process of managing the risks associated with the use of IT.
In other words, the organization needs to:
1. Identify security risks, including the type of computer security risk.
2. Identify the “system owner” of the key asset business.
3. Assess the company's acceptable risks and risk tolerance.
4. Develop a network security incident response planning.
ISO / IEC 27005 is an important standard, although approximately two-thirds of the content consists of attachments with examples and other information. No criteria are specified and it is recommended not to specify a detailed risk management method. However, it does mean a continuous process consisting of a series of structured activities, some of which iterative:
1. Establish a risk management environment (like compliance obligations, scope, methods to be used, and related policies and standards, for example organization's risk tolerance and appetite);
2. Quantitative or qualitative assessment (that is identification, analysis and assessment) of relevant information issues or risks, consider information assets, existing controls threats, as well as vulnerabilities to identify the likelihood of an event or event scenario and expected business consequences (in case occurred) , determine the "risk level";
3. Use risk levels to properly handle risks;
4. Let stakeholders understand the situation throughout the complete process; and
5. Continuously monitor as well as review risks, risks management, obligations and standards, identify and respond appropriately to major changes.
A number of appendices provide more information, mainly examples, to illustrate the recommended move toward. Third edition of ISO/IEC 27005 was released in 2018. This is “minor revision” and is a temporary interim measure that has undergone extremely limited changes primarily through reference to ISO/IEC 27001. The project to modify/rewrite the standard is not progressing enough, has been canceled, and then restarted. The fourth edition of "27005" is being developed. It is hoped that the 4th edition of ISO/IEC 27005 will be released at same time as the next edition of ISO/IEC 27001 to support updated ISMS specification, but it is not guaranteed. Many comments indicate that the project once again embarked on the difficult road of Kan Rock in the winter. When it comes to opportunities, rewriting 27005 provides a once-in-a-lifetime opportunity to reorganize SC 27 and reorganize it into IS risk management standards, where and “information risk” can be defined by “information-related risks”. "This will remove, among other things, "information security risks" that are curious about "standard information security." Therefore, organizations will determine information security goals based on information security policies to achieve specific results." Therefore, the combination of the two as a result, information security risks is defined as “uncertainty”. Re-established information risk management standards can form the basis of ISO/IEC 27001. The whole ISO27k approach is consistent with risk, identifying, assessing, and processing information issues and risks is an essential element, so information risk management standards are critical.
Five steps to building a successful ISRM process:
Business awareness: FuturePlus have to know the whole business status of the organization, for example budget consideration, complexity of the people and business process (Mpaata, Basemera and Rulangaranga, 2016). FuturePlus need to believe the association risk profile and describe in detail each of the risks it faces moreover its threats tolerance the stage of risk that is prepare to be accepted to attain its goals (Awdah, Jasmeen and Alexander, 2017).
Guidelines for company: FuturePlus needs to...
SOLUTION.PDF

Answer To This Question Is Available To Download

Related Questions & Answers

More Questions »

Submit New Assignment

Copy and Paste Your Assignment Here